System Check aftermath

Friend's PC had out of date NIS 2009 and got infected with System Check.
Ran Malwarebytes in safe mode and after reboot I was able to get the program list back and un-hide the folders.
Loaded NIS 2012, updated and scanned, removed flagged items.

Problem now is this.
On boot, if you try to run Internet Explorer, it takes about 10-15 minutes for the program to start, the iexplore.exe process starts right away but the program won't appear till 10-15 minutes later. Internet access is fine and I can ping websites from a command line right after boot.
NIS 2012 shows Zeroaccess Rootkit and Tidserv needing manual removal.
Ran their tools, FixTDSS.exe and FixZeroAccess.exe but it still detects them.
Also ran Norton Power Eraser with same results so here I am, any help will be greatly appreciated.

Steve, I'll be glad to help. But please don't run any more random scans. The one thing I want you to do while I finish checking these logs is to go back and rerun Malwarebytes again and be sure to check the line in the instructions in red:

When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

When completed, a log will open in Notepad. Please attach this log with your reply.

If you look at the Mbam log, you will see No Action Taken by all the entries. Leave the new log.
=========================================
My Guidelines: please read and follow:

Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.

Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.

If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.

File sharing programs should be uninstalled or disabled during the cleaning process.

Observe these:
[o] Don't follow directions given to someone else
[o] Don't use any other cleaning programs or scans while I'm helping you.
[o] Don't use a Registry cleaner or make any changes in the Registry.
[o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum. Threads are closed after 5 days if there is no reply.

There are still noticeable malware entries. I see Norton was installed on 2/28- was there any AV or security running on the system before that?
==============================
We are going to let Combofix remove some of the malware for us.

Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan.

Uninstall directions, if needed:

Click START> then RUN

Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HERE and save to the desktop.

Double click combofix.exe & follow the prompts.

If prompted for Recovery Console, please allow.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install- just bypass and go on.

Note: No query will be made if the Recovery Console is already on the system.

[o] Close/disable all anti virus and anti malware programs
(If you need help with this, please see HERE)

[o] Close any open browsers.

[o] Click on Yes, to continue scanning for malware

[o] If Combofix asks you to update the program, allow

When the scan completes, a report will be generated- it will open a text window. Please paste the C:\ComboFix.txt in next reply.

Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.

Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
=============================================
It is important that you do not delete any files from your Temp folder or use any temp file cleaners.

System Check is a fake (Rogue) computer analysis and optimization program.

The 'alerts' tell you the problems have led to corrupt and missing data.

It will display false error messages and security warnings.

It "hides" Icons, desktop, programs and files so that they appear to be missing and some programs can't be run

This can be installed through hacked sites that exploit vulnerabilities on the system or through fake online scanner pages

The malware is configured to automatically start when you logon to Windows.

It can also be started if you click on any of these alerts.

Note: You may not experience all of the above, but it is important to tell me what problems you do have.
============================================
See below. Do this if needed: Press Windows+R key> type cmd> OK

Press Enter
==============================
Please print out the following instructions. It is important that the order of the scan below be followed exactly. Please read through all of the instructions before you begin.
--------------------------
Note: If you are not 'missing' folders, icons, programs, etc. you can skip #1 and start with #2.

The following can be run first to allow you to 'see' the programs, files, etc. But it is important that you understand that this does not remove the malware, only the attribute to hide these features. So it is important that you continue with the cleaning:
1. Download Unhide.exe and save to the desktop.

Double-click on Unhide.exe icon to run the program.

This program will remove the +H, or hidden, attribute from all the files on your hard drives.

Note: This does not remove the malware- only the attribute that hides icons and programs. It is important that you continue.
================================
2. Boot into Safe Mode with Networking

Restart your computer and start pressing the F8 key on your keyboard.

Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

=======================================
3. To end the processes that belong to the rogue program:
Please click on RKill

At the download page, click on Download now button for iExplore.exe download link and save to the desktop

Double click on the iExplore.exe icon

Please be patient- it may take a bit.

The black Window will close when through and you can continue.

Note: If you get a message that RKill is malware, ignore it> it's from the malware.
=======================================
Do not reboot your computer after running RKill as the malware programs will start again.
================================
4. This malware frequently comes with the TDSSrootkit, so do the following:

Download the file TDSSKiller.zip and save to the desktop. (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)

Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.

Double click on TDSSKiller.exe to run the scan.

When the scan is over, the utility outputs a list of detected objects with description.
The utility automatically selects an action (Cure or Delete) for malicious objects.
The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).

Select the action Quarantine to quarantine detected objects.
The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43

Save log and post in next reply.

After clicking Next, the utility applies selected actions and outputs the result.

A reboot is required after disinfection.

====================================
If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
====================================
5. Update and rescan with Malwarebytes:

Select Perform Full Scan on the Scanner tab

Click on the Scan button.

When scan has finished, you will see this image:

Click on OK to close box and continue.

Click on the Show Results button.

Click on the Remove Selected button to remove all the listed malware.

At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format>Uncheck Word Wrap before copying the log to paste in your next reply.

==============================
6. Correct Display Changes if needed: If the desktop background is black or if the theme has been removed:

Click on Start> Control Panel> Appearance & Personalization

Select Change Theme or Change Desktop Background

=====================================
7. Some items may not show on the Start menu. To add them back:

Right click on Start> Properties

Taskbar and Start Menu Properties screen appears

choose Start Menu tab> Click on Customize

For Windows XP> Choose Advanced tab

Check the items you want back on the Start Menu

When finished> click on OK> Apply and close.

=====================================
You can now reboot back into Normal Mode.
Please leave logs for Combofix, TDSSKiller and new Malwarebytes full scan in your next reply.

Finished with your instructions, here are the three new logs.
Combofix took about an hour to complete.
TDSSKiller found nothing and Malwarebytes only found one file and removed it.

On boot into Windows Normal Mode I still get about a 20 minute delay between trying to start Internet Explorer, AOL, Task Manager etc, and when they finally open. I can however go to a command prompt right away and ping a website OK.

I think you can close this thread as I seem to have fixed the other issues.

The slow startup was due to some startup services left behind by these viruses. The startup entries were still active even though the .exe files had been removed. When I removed them with MSCONFIG and restarted, the slow startup was gone.

The second fix was for Windows Update which was broken. I followed the instructions in a knowledge base article and was able to fix that.
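The orphaned autostart entries Steve found with MSCONFIG (Run entries whose .exe had already been removed by the scanners) can be listed from the registry directly. The following is an added PowerShell example, not code from the thread or from any of the tools it names; it is read-only and only reports which Run/RunOnce targets are missing on disk. It assumes a standard Windows install where the Run keys live at the paths below.

```powershell
# Added example: flag Run/RunOnce autostart entries whose executable no longer exists.
# Read-only; it reports orphans, it does not delete anything.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    # Pulls the program path out of a Run value such as "C:\Program Files\x.exe" /arg
    # or C:\x.exe /arg (unquoted). Falls back to the first token if no .exe is found.
    param([string]$Command)
    $cmd = $Command.Trim()
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
        return $cmd.Trim('"')
    }
    $m = [regex]::Match($cmd, '^(.*?\.exe)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those provider properties.
        if ($p.Name -like 'PS*') { continue }
        $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand ([string]$p.Value)))
        # A bare name (e.g. rundll32.exe) is resolved through PATH; a full path is checked directly.
        $exists = (Test-Path -LiteralPath $exe -PathType Leaf) -or
                  ($null -ne (Get-Command $exe -ErrorAction SilentlyContinue))
        $status = if ($exists) { 'present' } else { 'ORPHANED (target missing)' }
        [pscustomobject]@{ Key = $key; Name = $p.Name; Target = $exe; Status = $status }
    }
}

$report | Format-Table -AutoSize
```

Entries marked ORPHANED are the ones MSCONFIG would show as still enabled even though their program is gone; leave the removal to the helper's instructions and paste the table in the reply if asked for it.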